initial selinux configs

author: Chris St. Pierre <chris.a.st.pierre@gmail.com> 2012-09-14 15:52:52 -0400
committer: Chris St. Pierre <chris.a.st.pierre@gmail.com> 2012-10-03 12:42:32 -0400
commit: 8fa17a93d70ef103db3d8f6a128dd41bbc9bccca (patch)
tree: 14ec7a6194296819cf49a0f57d206ef0e54f55a4 /redhat
parent: 04e7e0c9e9f96b4ba8bdb349cc0a37d9a881a4d2 (diff)
download: bcfg2-8fa17a93d70ef103db3d8f6a128dd41bbc9bccca.tar.gz
bcfg2-8fa17a93d70ef103db3d8f6a128dd41bbc9bccca.tar.bz2
bcfg2-8fa17a93d70ef103db3d8f6a128dd41bbc9bccca.zip
3 files changed, 423 insertions, 0 deletions
diff --git a/redhat/selinux/bcfg2.fc b/redhat/selinux/bcfg2.fc
new file mode 100644
index 000000000..3b551b4a3
--- /dev/null
+++ b/redhat/selinux/bcfg2.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/bcfg2-server --   gen_context(system_u:object_r:bcfg2_server_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/bcfg2        --   gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+
+/usr/sbin/bcfg2-server          --   gen_context(system_u:object_r:bcfg2_server_exec_t,s0)
+/usr/sbin/bcfg2                 --   gen_context(system_u:object_r:bcfg2_exec_t,s0)
+/usr/lib/bcfg2/bcfg2-cron       --   gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
+/var/lib/bcfg2(/.*)?                 gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
+
+/var/run/bcfg2-server\.pid      --   gen_context(system_u:object_r:bcfg2_var_run_t,s0)
+
+/var/lock/bcfg2\.run            --   gen_context(system_u:object_r:bcfg2_lock_t,s0)
+
+/etc/bcfg2.*\.conf              --   gen_context(system_u:object_r:bcfg2_conf_t,s0)
diff --git a/redhat/selinux/bcfg2.if b/redhat/selinux/bcfg2.if
new file mode 100644
index 000000000..9ee23dd4b
--- /dev/null
+++ b/redhat/selinux/bcfg2.if
@@ -0,0 +1,220 @@
+## <summary>bcfg2-server daemon which serves configurations to clients based on the data in its repository</summary>
+
+########################################
+## <summary>
+##	Execute bcfg2-server in the bcfg2 server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bcfg2_server_domtrans',`
+	gen_require(`
+		type bcfg2_server_t, bcfg2_server_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, bcfg2_server_exec_t, bcfg2_server_t)
+')
+
+########################################
+## <summary>
+##	Execute bcfg2-server server in the bcfg2-server domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_server_initrc_domtrans',`
+	gen_require(`
+		type bcfg2_server_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, bcfg2_server_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Search bcfg2 lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_search_lib',`
+	gen_require(`
+		type bcfg2_var_lib_t;
+	')
+
+	allow $1 bcfg2_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read bcfg2 lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_read_lib_files',`
+	gen_require(`
+		type bcfg2_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage bcfg2 lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_manage_lib_files',`
+	gen_require(`
+		type bcfg2_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage bcfg2 lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_manage_lib_dirs',`
+	gen_require(`
+		type bcfg2_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administer
+##	a bcfg2-server environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bcfg2_server_admin',`
+	gen_require(`
+		type bcfg2_server_t;
+		type bcfg2_server_initrc_exec_t;
+		type bcfg2_server_var_lib_t;
+	')
+
+	allow $1 bcfg2_server_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bcfg2_server_t)
+
+	bcfg2_server_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 bcfg2_server_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_var_lib($1)
+	admin_pattern($1, bcfg2_server_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Execute bcfg2 in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bcfg2_domtrans',`
+	gen_require(`
+		type bcfg2_t, bcfg2_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
+')
+
+########################################
+## <summary>
+##	Execute bcfg2 in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bcfg2_initrc_domtrans',`
+	gen_require(`
+		type bcfg2_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administer
+##	a bcfg2 client
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bcfg2_client_admin',`
+	gen_require(`
+		type bcfg2_t;
+		type bcfg2_initrc_exec_t;
+		type bcfg2_var_lib_t;
+	')
+
+	allow $1 bcfg2_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bcfg2_t)
+
+	bcfg2_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 bcfg2_initrc_exec_t system_r;
+	allow $2 system_r;
+')
diff --git a/redhat/selinux/bcfg2.te b/redhat/selinux/bcfg2.te
new file mode 100644
index 000000000..3b4fb4e2d
--- /dev/null
+++ b/redhat/selinux/bcfg2.te
@@ -0,0 +1,189 @@
+policy_module(bcfg2, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type bcfg2_t;
+type bcfg2_exec_t;
+init_daemon_domain(bcfg2_t, bcfg2_exec_t)
+
+type bcfg2_server_t;
+type bcfg2_server_exec_t;
+init_daemon_domain(bcfg2_server_t, bcfg2_server_exec_t)
+
+type bcfg2_initrc_exec_t;
+init_script_file(bcfg2_initrc_exec_t)
+
+type bcfg2_server_initrc_exec_t;
+init_script_file(bcfg2_server_initrc_exec_t)
+
+type bcfg2_var_lib_t;
+files_type(bcfg2_var_lib_t)
+
+type bcfg2_var_run_t;
+files_pid_file(bcfg2_var_run_t)
+
+type bcfg2_lock_t;
+files_lock_file(bcfg2_lock_t)
+
+type bcfg2_conf_t;
+files_config_file(bcfg2_conf_t)
+
+########################################
+#
+# bcfg2-server local policy
+#
+
+allow bcfg2_server_t self:fifo_file rw_fifo_file_perms;
+allow bcfg2_server_t self:tcp_socket create_stream_socket_perms;
+allow bcfg2_server_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow bcfg2_server_t self:process setrlimit;
+allow bcfg2_server_t self:capability { setgid setuid };
+
+manage_dirs_pattern(bcfg2_server_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
+manage_files_pattern(bcfg2_server_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
+files_var_lib_filetrans(bcfg2_server_t, bcfg2_var_lib_t, dir )
+
+manage_files_pattern(bcfg2_server_t, bcfg2_var_run_t, bcfg2_var_run_t)
+files_pid_filetrans(bcfg2_server_t, bcfg2_var_run_t, file )
+
+files_search_etc(bcfg2_server_t)
+read_files_pattern(bcfg2_server_t, bcfg2_conf_t, bcfg2_conf_t)
+read_lnk_files_pattern(bcfg2_server_t, bcfg2_conf_t, bcfg2_conf_t)
+
+files_manage_generic_tmp_files(bcfg2_server_t)
+
+kernel_read_system_state(bcfg2_server_t)
+
+corecmd_exec_bin(bcfg2_server_t)
+corecmd_exec_shell(bcfg2_server_t)
+
+dev_read_urand(bcfg2_server_t)
+
+fs_list_inotifyfs(bcfg2_server_t)
+
+domain_use_interactive_fds(bcfg2_server_t)
+
+files_read_usr_files(bcfg2_server_t)
+
+logging_send_syslog_msg(bcfg2_server_t)
+
+miscfiles_read_localization(bcfg2_server_t)
+miscfiles_read_certs(bcfg2_server_t)
+
+auth_use_nsswitch(bcfg2_server_t)
+
+libs_exec_ldconfig(bcfg2_server_t)
+
+# port 6789 was somehow already claimed by cyphesis, whatever that is
+corenet_tcp_bind_cyphesis_port(bcfg2_server_t)
+
+########################################
+#
+# bcfg2 (client) local policy
+#
+
+allow bcfg2_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
+allow bcfg2_t self:process { signal signull getsched setsched };
+allow bcfg2_t self:fifo_file rw_fifo_file_perms;
+allow bcfg2_t self:netlink_route_socket create_netlink_socket_perms;
+allow bcfg2_t self:tcp_socket create_stream_socket_perms;
+allow bcfg2_t self:udp_socket create_socket_perms;
+
+files_search_etc(bcfg2_t)
+read_files_pattern(bcfg2_t, bcfg2_conf_t, bcfg2_conf_t)
+read_lnk_files_pattern(bcfg2_t, bcfg2_conf_t, bcfg2_conf_t)
+
+allow bcfg2_t bcfg2_lock_t:file manage_file_perms;
+files_lock_filetrans(bcfg2_t, bcfg2_lock_t, file)
+
+kernel_dontaudit_search_sysctl(bcfg2_t)
+kernel_dontaudit_search_kernel_sysctl(bcfg2_t)
+kernel_read_system_state(bcfg2_t)
+kernel_read_crypto_sysctls(bcfg2_t)
+
+cron_system_entry(bcfg2_t, bcfg2_exec_t)
+
+corecmd_exec_bin(bcfg2_t)
+corecmd_exec_shell(bcfg2_t)
+
+corenet_all_recvfrom_netlabel(bcfg2_t)
+corenet_all_recvfrom_unlabeled(bcfg2_t)
+corenet_tcp_sendrecv_generic_if(bcfg2_t)
+corenet_tcp_sendrecv_generic_node(bcfg2_t)
+corenet_tcp_bind_generic_node(bcfg2_t)
+corenet_tcp_connect_cyphesis_port(bcfg2_t)
+corenet_sendrecv_cyphesis_client_packets(bcfg2_t)
+
+dev_read_rand(bcfg2_t)
+dev_read_sysfs(bcfg2_t)
+dev_read_urand(bcfg2_t)
+
+domain_read_all_domains_state(bcfg2_t)
+domain_interactive_fd(bcfg2_t)
+
+files_manage_config_files(bcfg2_t)
+files_manage_config_dirs(bcfg2_t)
+files_manage_etc_dirs(bcfg2_t)
+files_manage_etc_files(bcfg2_t)
+files_read_usr_symlinks(bcfg2_t)
+files_relabel_config_dirs(bcfg2_t)
+files_relabel_config_files(bcfg2_t)
+files_manage_generic_tmp_files(bcfg2_t)
+
+selinux_search_fs(bcfg2_t)
+selinux_set_all_booleans(bcfg2_t)
+selinux_set_generic_booleans(bcfg2_t)
+selinux_validate_context(bcfg2_t)
+
+term_dontaudit_getattr_unallocated_ttys(bcfg2_t)
+term_dontaudit_getattr_all_ttys(bcfg2_t)
+
+init_all_labeled_script_domtrans(bcfg2_t)
+init_domtrans_script(bcfg2_t)
+init_read_utmp(bcfg2_t)
+init_signull_script(bcfg2_t)
+
+logging_send_syslog_msg(bcfg2_t)
+
+miscfiles_read_hwdata(bcfg2_t)
+miscfiles_read_localization(bcfg2_t)
+
+mount_domtrans(bcfg2_t)
+
+auth_use_nsswitch(bcfg2_t)
+
+seutil_domtrans_setfiles(bcfg2_t)
+seutil_domtrans_semanage(bcfg2_t)
+seutil_run_semanage(bcfg2_t)
+
+sysnet_dns_name_resolve(bcfg2_t)
+sysnet_run_ifconfig(bcfg2_t, system_r)
+
+optional_policy(`
+        consoletype_domtrans(bcfg2_t)
+')
+
+optional_policy(`
+        hostname_exec(bcfg2_t)
+')
+
+optional_policy(`
+        files_rw_var_files(bcfg2_t)
+
+        rpm_domtrans(bcfg2_t)
+        rpm_domtrans_script(bcfg2_t)
+        rpm_manage_db(bcfg2_t)
+        rpm_manage_log(bcfg2_t)
+')
+
+optional_policy(`
+        unconfined_domain(bcfg2_t)
+')
+
+optional_policy(`
+        usermanage_domtrans_groupadd(bcfg2_t)
+        usermanage_domtrans_useradd(bcfg2_t)
+')
author	Chris St. Pierre <chris.a.st.pierre@gmail.com>	2012-09-14 15:52:52 -0400
committer	Chris St. Pierre <chris.a.st.pierre@gmail.com>	2012-10-03 12:42:32 -0400
commit	8fa17a93d70ef103db3d8f6a128dd41bbc9bccca (patch)
tree	14ec7a6194296819cf49a0f57d206ef0e54f55a4 /redhat
parent	04e7e0c9e9f96b4ba8bdb349cc0a37d9a881a4d2 (diff)
download	bcfg2-8fa17a93d70ef103db3d8f6a128dd41bbc9bccca.tar.gz bcfg2-8fa17a93d70ef103db3d8f6a128dd41bbc9bccca.tar.bz2 bcfg2-8fa17a93d70ef103db3d8f6a128dd41bbc9bccca.zip